diff --git a/src/core/lib/security/credentials/google_default/google_default_credentials.cc b/src/core/lib/security/credentials/google_default/google_default_credentials.cc
index 4ed18a4c606..fa0a2206973 100644
--- a/src/core/lib/security/credentials/google_default/google_default_credentials.cc
+++ b/src/core/lib/security/credentials/google_default/google_default_credentials.cc
@@ -59,7 +59,6 @@ using grpc_core::Json;
  * means the detection is done via network test that is unreliable and the
  * unreliable result should not be referred by successive calls. */
 static int g_metadata_server_available = 0;
-static int g_is_on_gce = 0;
 static gpr_mu g_state_mu;
 /* Protect a metadata_server_detector instance that can be modified by more than
  * one gRPC threads */
@@ -91,7 +90,7 @@ grpc_google_default_channel_credentials::create_security_connector(
   bool use_alts =
       is_grpclb_load_balancer || is_backend_from_grpclb_load_balancer;
   /* Return failure if ALTS is selected but not running on GCE. */
-  if (use_alts && !g_is_on_gce) {
+  if (use_alts && alts_creds_ == nullptr) {
     gpr_log(GPR_ERROR, "ALTS is selected, but not running on GCE.");
     return nullptr;
   }
@@ -281,15 +280,10 @@ static void update_tenancy() {
 
   /* Try a platform-provided hint for GCE. */
   if (!g_metadata_server_available) {
-    g_is_on_gce = g_gce_tenancy_checker();
-    g_metadata_server_available = g_is_on_gce;
+    g_metadata_server_available = g_gce_tenancy_checker();
   }
   /* TODO: Add a platform-provided hint for GAE. */
-  gpr_mu_unlock(&g_state_mu);
-}
 
-static void update_metadata_server_available() {
-  gpr_mu_lock(&g_state_mu);
   /* Do a network test for metadata server. */
   if (!g_metadata_server_available) {
     g_metadata_server_available = is_metadata_server_reachable();
@@ -310,6 +304,8 @@ static grpc_core::RefCountedPtr<grpc_call_credentials> make_default_call_creds(
   grpc_core::RefCountedPtr<grpc_call_credentials> call_creds;
   grpc_error* err;
 
+  update_tenancy();
+
   /* First, try the environment variable. */
   char* path_from_env = gpr_getenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR);
   if (path_from_env != nullptr) {
@@ -350,10 +346,7 @@ grpc_channel_credentials* grpc_google_default_credentials_create(
   GRPC_API_TRACE("grpc_google_default_credentials_create(%p)", 1,
                  (call_credentials));
 
-  update_tenancy();
-
   if (call_creds == nullptr) {
-    update_metadata_server_available();
     call_creds = make_default_call_creds(&error);
   }
 
@@ -367,13 +360,19 @@ grpc_channel_credentials* grpc_google_default_credentials_create(
     grpc_channel_credentials* alts_creds =
         grpc_alts_credentials_create(options);
     grpc_alts_credentials_options_destroy(options);
-    auto creds =
-        grpc_core::MakeRefCounted<grpc_google_default_channel_credentials>(
-            grpc_core::RefCountedPtr<grpc_channel_credentials>(alts_creds),
-            grpc_core::RefCountedPtr<grpc_channel_credentials>(ssl_creds));
-    result = grpc_composite_channel_credentials_create(
-        creds.get(), call_creds.get(), nullptr);
-    GPR_ASSERT(result != nullptr);
+    if (alts_creds == nullptr) {
+      gpr_log(GPR_ERROR,
+              "Could not create google default credentials. Are you running on "
+              "GCE?");
+    } else {
+      auto creds =
+          grpc_core::MakeRefCounted<grpc_google_default_channel_credentials>(
+              grpc_core::RefCountedPtr<grpc_channel_credentials>(alts_creds),
+              grpc_core::RefCountedPtr<grpc_channel_credentials>(ssl_creds));
+      result = grpc_composite_channel_credentials_create(
+          creds.get(), call_creds.get(), nullptr);
+      GPR_ASSERT(result != nullptr);
+    }
   } else {
     gpr_log(GPR_ERROR, "Could not create google default credentials: %s",
             grpc_error_string(error));
diff --git a/test/core/security/credentials_test.cc b/test/core/security/credentials_test.cc
index 8029c023f35..c1a66e4bcc8 100644
--- a/test/core/security/credentials_test.cc
+++ b/test/core/security/credentials_test.cc
@@ -1542,7 +1542,7 @@ static void test_google_default_creds_call_creds_specified(void) {
   grpc_composite_channel_credentials* channel_creds =
       reinterpret_cast<grpc_composite_channel_credentials*>(
           grpc_google_default_credentials_create(call_creds));
-  GPR_ASSERT(g_test_gce_tenancy_checker_called == true);
+  GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
   GPR_ASSERT(channel_creds != nullptr);
   GPR_ASSERT(channel_creds->call_creds() != nullptr);
   grpc_httpcli_set_override(compute_engine_httpcli_get_success_override,
@@ -1601,7 +1601,7 @@ static void test_google_default_creds_not_default(void) {
   grpc_composite_channel_credentials* channel_creds =
       reinterpret_cast<grpc_composite_channel_credentials*>(
           grpc_google_default_credentials_create(call_creds.release()));
-  GPR_ASSERT(g_test_gce_tenancy_checker_called == true);
+  GPR_ASSERT(g_test_gce_tenancy_checker_called == false);
   GPR_ASSERT(channel_creds != nullptr);
   GPR_ASSERT(channel_creds->call_creds() != nullptr);
   run_request_metadata_test(channel_creds->mutable_call_creds(), auth_md_ctx,